Why this is important

If you’re the owner of a VPS or dedicated server hosting websites, then this should concern you. You might think, “It’s an easy fix. I’ll restore all my sites from before the malware attack and I’ll have all my customers up in no time.”

A few negative points here for you:

1. Your websites will be shut down by your hosting provider.

2. Your domain(s) could be listed on phishtank.com.

3. Your IP address could be blacklisted by a number of SPAM blacklist sites.

4. Restoring your sites from a backup could write over forensic information about how the attack happened.

5. Your search engine rankings could drop.

6. You could lose the backlinks other websites have given you.

7. Browsers could show a warning page before people try to visit your websites.

Point 1 is temporary. Many hosting providers will deactivate your server until the issues are resolved – but most often you will suffer some downtime.

Point 2 may or may not cause you any issues. Some sites and browsers using the phishtank list block your site if you’re listed on there.

Point 3 is more severe if you’re hosting email for your websites on the same server. While many of the SPAM blacklists will remove your IP address or domain from their list quickly (sometimes within 10 – 15 minutes) others like Gmail will take weeks. Gmail doesn’t have a request process like Google does for websites. They monitor email coming from your IP address to their addresses for up to 4 weeks. If they don’t receive any other SPAM, then they’ll delist your IP address.

Point 4 we hear quite frequently. All this does is prolong the process of root cause analysis – how did this happen? Not to sound all “CSI” on you, but you could be writing over forensic information. Then it’s an educated guess as to how it happened.

Point 5 can be serious. Many of you spend large amounts of time getting your sites or your customers’ sites ranked highly for keywords. That will drop quickly if your website gets listed by one of the search engines for sending SPAM or hosting phishing files. Sometimes your rankings will return in about a week or so. However, if your server is infected again, the repeated drops will accumulate and it may take a lot more work to regain your search engine rankings.

Point 6 also affects your search engine rankings – backlinks. You spend a lot of time building up reputable backlinks. If the websites that link back to your site drop you, can you get them back? What will they need in order to know that your site or sites are safe again?

The last point, browsers showing a warning page, will usually go away within 24 to 48 hours after the infection has been removed and steps taken to secure the websites.

Possibly the best reason for you to be concerned is that anyone you know could fall victim to one of these phishing scams, lose their identity or their bank account balance, or suffer any number of other potentially damaging events.

Why VPS and dedicated servers?

Why would hackers focus on VPS and dedicated servers? We believe the hackers know that these aren’t monitored by the hosting companies quite like the shared hosting accounts are. Some of the managed servers are, but many of the people buying the VPS or dedicated server service don’t go with the managed offerings.

Hackers love VPS’s and dedicated servers because they have control over all the resources.

Some of the phishing sites we see are actually subdomains of a domain on the server. For instance, if you had a VPS with a website domain of xyz.com, the hackers could set up a subdomain of pplogin.xyz.com. Would you notice that?

Probably not.

Hackers could send out millions of SPAM emails from your server and you wouldn’t know until you started getting bounce-backs of emails that were blocked or were sent to non-existent email addresses, or until your hosting provider shuts you down or, worse yet, your website customers start complaining.

Oftentimes the reseller and shared hosting accounts are monitored by the hosting provider, and those types of accounts don’t have the resources that a server (VPS or dedicated) has. That’s why hackers love VPS and dedicated servers.

What can be done?

Prevention can take many paths. First, make certain that your server is not being used to send phishing SPAM. The second path is to reduce the amount of phishing SPAM your clients are subjected to. Next, make certain your server isn’t being used to distribute this phishing SPAM. Last, be diligent about the files on your server. Are any of them phishing files? If so, how did they get there?

One of the easiest steps to take is to make certain your SPF record is set up correctly. This works toward reducing the potential of hackers spoofing or forging one of your domains. Here’s our slideshare about this:
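To show what a correctly set up SPF record actually does for you, here is a small evaluator written for this page as an added example (it is not the slideshare and not code from the original post). It checks a sending IP against the hand-written ip4/ip6 and all mechanisms of a record and flags the terminal settings that still leave a domain spoofable; the records and addresses are constructed documentation values, not any real domain’s.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate the ip4/ip6 and 'all' mechanisms of an SPF TXT record against the IP
    that is delivering a message. Returns 'pass', 'fail', 'softfail' or 'neutral'.
    Mechanisms that need DNS (include, a, mx, ...) are skipped here on purpose."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # a bare address is treated as a /32 (or /128); a version mismatch never matches
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                          # no 'all' and nothing matched

def spf_weaknesses(record):
    """Flag terminal settings that leave the domain spoofable even though SPF is published."""
    terms = record.lower().split()[1:]
    last = terms[-1] if terms else ""
    if last.startswith("redirect="):
        return []                             # the verdict is delegated to another record
    if last.lstrip("+-~?") != "all":
        return ["no terminal 'all': unlisted senders are 'neutral', which receivers treat much like no SPF"]
    if last in ("all", "+all"):
        return ["'+all' passes every sender on the internet"]
    if last == "?all":
        return ["'?all' gives no verdict for unlisted senders"]
    return []
```

A forged message from an address outside the listed ranges gets "fail" with "-all" and only "softfail" with "~all", which is why the choice of terminal mechanism matters as much as the address list.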

There are many ways to reconfigure SpamAssassin in your cPanel to reduce the amount of SPAM your webhosting customers are subjected to. If they don’t see as much SPAM, there’s a greater chance they won’t be fooled by any of it and fall victim to the phishing SPAM.

Have your email queue checked frequently. If you see a higher than normal amount of email being sent out, have it investigated to be sure it’s not SPAM.

Finally, set up file integrity monitoring on your website files. You’ll want to be notified quickly if any phishing files have been uploaded to your server. You’ll not only want to be notified, but you’ll also want to know how it happened.
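A minimal version of that file integrity check, written for this page as an added example (not the service’s own tooling): it snapshots SHA-256 hashes of the site’s files and reports anything added, changed or removed. It compares content rather than timestamps, which matters because, as noted later on this page, attackers keep the original date/time stamps on the files they touch; the site tree, file names and baseline location are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256.
    Content is hashed and timestamps are ignored on purpose: attackers can keep or
    reset a file's date/time stamp, so mtime alone proves nothing."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests

def compare(baseline, current):
    """Return (added, modified, removed) paths; any non-empty list deserves a look."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed site tree: take a baseline (stored outside the web root), then
    change one file and drop one new file while preserving the old timestamps."""
    root = tempfile.mkdtemp()
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php // constructed site file\n")
    with open(baseline_path, "w") as fh:
        json.dump(hash_tree(root), fh)            # baseline taken while the site is clean
    st = os.stat(index)
    with open(index, "a") as fh:
        fh.write("<?php // constructed injected line\n")
    os.utime(index, (st.st_atime, st.st_mtime))  # put the original timestamp back
    dropped = os.path.join(uploads, "login.php")
    with open(dropped, "w") as fh:
        fh.write("<?php // constructed stand-in for an uploaded phishing page\n")
    os.utime(dropped, (st.st_atime, st.st_mtime))  # backdated to match the site
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    return compare(baseline, hash_tree(root))
```

In practice the baseline is taken right after a clean install or cleanup, kept off the web root, and the comparison runs from cron so that a new .php under wp-content/uploads raises an alert within minutes rather than after a customer complaint.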

The external website scanners don’t see the phishing files because there is no link from the website to the phishing files. The only way sites like phishtank can find these phishing files is from the large volunteer network they have. These volunteers will collect the phishing SPAM emails and record the phishing URL and post it on phishtank.com.

Conclusion

It’s important that you focus on SPAM in general but definitely on phishing files. A few steps that require little time can help you help others.

Education is the first step. Please share this with other VPS or dedicated server owners, web developers and others.

This past week has seen another influx of infected WordPress sites. This time, it’s another plugin: custom-contact-forms.

Their website shows a total of 630,792 downloads as of this blog post, so it appears to be quite popular.

It was last updated on August 4, 2014; however, again, it does not seem like many people are keeping their WordPress AND plugins updated.

What we’re seeing is in the wp-content/plugins/custom-contact-forms/import folder, typically 2 files that have a series of numbers and end with .sql.php. The files we’ve seen usually have some bogus-looking Joomla code in them. Yes, you read that correctly, Joomla-looking code.

There have been other files as well, but these appear to be the hackers’ first uploads to a vulnerable website.

From there the hackers have uploaded phishing files, other backdoors, emailers and other malicious code.

Many of the most recent infections we’ve found are on either VPS’s or dedicated servers. If they have all the websites on one cPanel, then the hackers can, and do, infect many of the other websites as well.

A scenario we see frequently is where there are, let’s say, 10 websites on a single cPanel. The hackers will find a way in on website number 3. They don’t leave their code there, because they don’t want to attract your attention to that site. They’ll infect, say, websites 5, 6, 7 and 8.

That way you focus your malware removal efforts on that site and they keep coming in on website number 3. They may also put backdoor shells on websites 1 and 2. These backdoor shells allow them to have remote access to your files after you remove their original point of entry on website number 3.

For this reason, we recommend that each website be on its own cPanel. Yes, it’s a hassle, but so is having all of your websites down while only one of them is the original point of entry.

This entire sequence of events can be prevented if you’re very diligent about keeping your WordPress and its plugins updated – daily.

Thank you for reading. If you have any questions, please do not hesitate to ask here. Also, if you want to share this, please do.

This weekend (yes we work weekends) we saw an outbreak of VPS and dedicated servers infected by what appears to be a vulnerability in the wysija-newsletters (MailPoet) WordPress plugin.

This plugin was identified as vulnerable over 2 weeks ago and the authors have released a new version. If you’re reading this, then please, please, please, update your plugins immediately and set a reminder in your smartphone, your computer or anywhere and everywhere else, to check your WordPress and your plugins for updates every 3 days at a minimum.

Hosting accounts, whether they are VPS’s, dedicated servers or shared hosting accounts, were hit.

Basically almost every .php file on an account was injected with code across the top of each file. In addition, two files were uploaded as well. Usually we saw one license.php file and then another backdoor shell in either the wp-admin or wp-includes folders. Most of the license.php files we found were 201 bytes in size.

One other point of entry left by the hackers is an administrator user with no name. This user must be deleted and all plugins updated.

You’ll notice that all the original date/time stamps of the files are kept. This leads us to believe that the backdoor shell they’ve uploaded allows them to modify almost anything about a file.

The vulnerability allows hackers to bypass admin authentication in the wysija-newsletters plugin and upload files. The hackers access those files remotely and start injecting their malicious payload into every .php file their program can find. This means that it will cross sub-domains on the same account.

The attacker will upload a file to: wp-content/uploads/wysija/themes and run it. Fortunately, our protection does not allow php files to be executed in the uploads folder – so even before this was discovered, many of our customers were already protected.

If you have a VPS or dedicated server with only one cPanel and all your sites under that, then basically every website is probably infected on your server. If you’re on a shared hosting account with multiple websites and one of them has the wysija-newsletters plugin (MailPoet), then chances are that all of your websites are infected.

We’ve been working feverishly to get this cleaned up, but some of the infections overwrite the existing file and they’re not always very good. Frequently we’ve had to replace plugins and/or themes because there is code missing from the file after the infection.
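An added triage scan, written for this page (not the cleanup tooling the post refers to), that looks for the three indicators described above: a line injected across the top of many .php files, a license.php where WordPress only ships license.txt, and .php files under wp-content/uploads such as wysija/themes. The injected header, file names and sizes in the demo tree are constructed stand-ins, since the post does not quote the real injected code; because the original timestamps were kept, the scan deliberately never looks at mtimes.

```python
import os
import tempfile

# Constructed stand-in for the injected header; the post does not quote the real one.
FAKE_HEADER = "<?php /* constructed injected header */ $x = 'payload'; ?>"

def php_files(root):
    """Yield (relative '/'-separated path, absolute path) of every .php file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                yield os.path.relpath(path, root).replace(os.sep, "/"), path

def shared_first_lines(root, min_files=3):
    """Nearly every WordPress file opens with a bare '<?php'; any other first line shared by
    many files is what 'code across the top of each file' looks like. mtimes are ignored."""
    where = {}
    for rel, path in php_files(root):
        with open(path, "rb") as fh:
            first = fh.readline().strip().decode("latin-1")
        if first != "<?php":
            where.setdefault(first, []).append(rel)
    return {line: sorted(paths) for line, paths in where.items() if len(paths) >= min_files}

def dropped_files(root):
    """license.php anywhere (WordPress ships license.txt) and any .php under wp-content/uploads."""
    hits = []
    for rel, path in php_files(root):
        if os.path.basename(rel) == "license.php":
            hits.append((rel, "license.php, %d bytes" % os.path.getsize(path)))
        elif rel.startswith("wp-content/uploads/"):
            hits.append((rel, "php file under uploads"))
    return sorted(hits)

def demo():
    """Constructed infected tree: three injected files, one clean, a 201-byte license.php, a dropper."""
    root = tempfile.mkdtemp()
    tree = {"wp-config.php": FAKE_HEADER + "\n<?php define('DB_NAME', 'x');\n",
            "wp-includes/a.php": FAKE_HEADER + "\n<?php\n",
            "wp-includes/b.php": FAKE_HEADER + "\n<?php\n",
            "wp-includes/clean.php": "<?php\n// untouched\n",
            "license.php": "<?php " + "x" * 195,  # 201 bytes, as in the post
            "wp-content/uploads/wysija/themes/t.php": "<?php // dropper stand-in\n"}
    for name, body in tree.items():
        path = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return shared_first_lines(root), dropped_files(root)
```

The shared-first-line grouping also gives you the list of files to restore from a known-good copy, which is what the missing-code problem above calls for; the nameless administrator user mentioned earlier lives in the database and has to be checked separately.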

Trend Micro has released a report which gives some details about the automation of website hacking. Their report: http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackos-software-package-sold-in-underground-forums/ set us off on a search for more information.

We found that this software allows hackers to manage large lists of stolen FTP credentials. The hackers can easily inject custom iframe code into compromised websites. The code can be modified to redirect visitors depending on their operating system (Mac, Windows, etc.), browser (Safari, FireFox, Internet Explorer, Chrome, etc.) and even different versions of those operating systems and browsers.

They can even customize their code to redirect based on the referrer (Google, Yahoo, Bing…) and country of origin.

When you see how the hackers talk about easily finding 10,000 websites, it becomes very alarming. One clip we found is this:

Approximately 15-20% have access to FTP SSH, you can also check behind mail + pass on base have access to FTP or SSH. – all accounts reviewed by our SSH server exploits to get root. With 10k SSH accounts you can get in the area of 500 root access to the servers!

What it appears they’re saying is that 15-20% of FTP accounts are also the credentials for SSH. If so, the hackers can gain “root” access via SSH.

Out of 10K accounts you can get about 500 with server root access! Simple backdoor is installed for all ‘root’s to elevate the rights for consequent access.

If you’re on a VPS or dedicated server, this type of access typically means complete server rebuild or reload. When they have root access it’s game over. They won.

Why do we bring this to your attention?

You have to constantly think about all the possible ways hackers have of getting into your server – always.

Frequently we see many FTP accounts created for the various websites on a VPS or dedicated server. If you’re going to host multiple websites on your server, please create a separate cPanel account for each site. That creates a separation between your sites.